it-securitynotifies AT lists.piratenpartei.de
Betreff: Sicherheitsankündigungen
Listenarchiv
[IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-081 - FileField Sources - Arbitrary Code Execution
Chronologisch Thread
- From: security-news AT drupal.org
- To: security-news AT drupal.org
- Subject: [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-081 - FileField Sources - Arbitrary Code Execution
- Date: Wed, 11 Aug 2010 20:04:36 +0000 (UTC)
- List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
- List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
* Advisory ID: DRUPAL-SA-CONTRIB-2010-081
* Project: FileField Sources (third-party module)
* Version: 6.x
* Date: 2010-May-19
* Security risk: Critical
* Exploitable from: Remote
* Vulnerability: Arbitrary Code Execution
-------- DESCRIPTION
---------------------------------------------------------
The FileField Sources module expands on the abilities of FileField, allowing
users to select new or existing files through additional means, including:
Reuse of existing files through an autocomplete textfield or IMCE, or
transfering files directly from remote servers. The module does not sanitize
the file extemsions of files that have been transfered from remote servers,
allowing for the transfering of files that match allowed extensions but
actually contain malicious code. This could potentially allow an attacker to
transfer scripts to the server and execute them. This vulerability is usually
mitigated by Drupal core's built-in security mechanisms which prevent code
execution of uploads that are within the Drupal files directory. This exploit
should not affect the majority of Drupal sites. Users would also need the
ability to use the FileField Sources module which requires permission to
create or edit a node that has a FileField with FileField Sources configured
for it.
-------- VERSIONS AFFECTED
---------------------------------------------------
* FileField Sources module for Drupal 6.x versions prior to 6.x-1.2
Drupal core is not affected. If you do not use the contributed FileField
Sources [1] module, there is nothing you need to do.
-------- SOLUTION
------------------------------------------------------------
Install the latest version:
* If you use the FileField Sources module for Drupal 6.x upgrade to
FileField Sources 6.x-1.2 [2]
See also the FileField Sources project page [3].
-------- REPORTED BY
---------------------------------------------------------
* Apa Sajja
-------- FIXED BY
------------------------------------------------------------
* Nathan Haug [4], module maintainer
* Greg Knaddison [5] of the Drupal security team
-------- CONTACT
-------------------------------------------------------------
The Drupal security team [6] can be reached at security at drupal.org or via
the form at http://drupal.org/contact.
[1] http://drupal.org/project/filefield_sources
[2] http://drupal.org/node/880248
[3] http://drupal.org/project/filefield_sources
[4] http://drupal.org/user/35821
[5] http://drupal.org/user/36762
[6] http://drupal.org/security-team
_______________________________________________
Security-news mailing list
Security-news AT drupal.org
http://lists.drupal.org/mailman/listinfo/security-news
- [IT-SecurityNotifies] [Security-news] SA-CONTRIB-2010-081 - FileField Sources - Arbitrary Code Execution, security-news, 11.08.2010
Archiv bereitgestellt durch MHonArc 2.6.19.